Security – Asterisk Intrusion Prevention

Tags: asterisk, security, sip

Let me start off by saying that I'm a noob, and what I've figured out so far has only been by stumbling my way through it. I have Googled around and the solution may be out there already, but it was probably all just way over my head, so PLEASE include as much detail as possible in your solution.

I have an Ubuntu 10.04 server running Asterisk for an automated phone system. Its sole purpose is incoming calls, and it never connects to a person. It is a phone-licensing system, so they input the information about their product and we output an unlock code for them to type into the program. When a call is received, it executes a Perl script with AGI; the script is a series of prompts followed by the output of the unlock code.

All of this is working great. However, it seemed to stop working on occasion. I looked at the Asterisk logs and found a TON of entries like this:

[May 22 10:51:27] NOTICE[10663] chan_sip.c: Registration from '"guest12345"<sip:guest12345@xx.xx.xx.xx>' failed for 'yy.yy.yy.yy' - No matching peer found

These are obviously intrusion attempts. xx.xx.xx.xx is my server's IP address and yy.yy.yy.yy is presumably the intruder's IP address.

I researched a bit on Google and found a solution by setting up Fail2Ban, which seems to be working. This morning, it has banned two IP addresses so far after 5 unsuccessful intrusion attempts.

I'm fairly confident that nobody will be able to get in within only 5 attempts, but this still seems less secure than I would like.

My understanding is that the Asterisk service running on my server goes out and registers with my VoIP provider every so often to tell it that it's still connected and ready to receive calls. As far as I know, that's the only "registration" necessary, so is there a way for me to block all outside registration attempts?

Perhaps I'm wrong about this, but it looks to me as though they are trying to register with my server as though my server was the VoIP provider. Perhaps that's the way you get an actual phone to connect with the Asterisk server? Since no actual phones are involved on my end (incoming calls only, never transferred to a person), is there a way for me to disable this part altogether?


EDIT:
From sip.conf:

registerattempts=0      ; Number of registration attempts before we give up
                ; 0 = continue forever, hammering the other server
                ; until it accepts the registration
                ; Default is 0 tries, continue forever
register => 1111111:password:1111111@sip.inphonex.com:5060/700
[inphonex]
type=peer
username=1111111
fromuser=1111111
secret=password ; password used to login their website (same as in register =>)
host=sip.inphonex.com
fromdomain=sip.inphonex.com
nat=yes ; my asterisk is behind nat
canreinvite=yes
qualify=yes
context=inbound-inphonex; context to be used in extensions.conf for inbound calls from inphonex
disallow=all
allow=ulaw
allow=alaw
allow=gsm
insecure=port,invite

Best Answer

You are correct that "that's the way you get an actual phone to connect with the Asterisk server". Phones register to the server on the same port that's used to register with the provider.

If you are only using SIP to talk to the provider, then simply set up a firewall to only allow SIP from the provider.

Fail2Ban is one solution but gives adversaries 5 chances when they should be getting none.
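As an added example (not code from the question or the answer), the detection logic behind what both describe: parse the chan_sip failure line quoted above, tally failures per source the way Fail2Ban's maxretry of 5 does, and show which sources a provider-only firewall rule would have dropped regardless of count. The provider address and the log lines are constructed.

```python
import re
from collections import Counter

# Matches the chan_sip NOTICE quoted in the question. Depending on the Asterisk
# version the remote address is logged as '<ip>' or '<ip>:<port>', so the port is optional.
FAILED_REGISTER = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<user>[^']*)' "
    r"failed for '(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+?)\s*$"
)

def parse_failed_registrations(lines):
    """Yield (source_ip, claimed_user, reason) for each failed REGISTER in the log."""
    for line in lines:
        m = FAILED_REGISTER.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("reason")

def failures_by_source(lines):
    """Count failed registrations per remote IP, the same tally the Fail2Ban asterisk jail keeps."""
    return Counter(src for src, _, _ in parse_failed_registrations(lines))

def banned_sources(lines, maxretry=5):
    """Sources that reached maxretry (5 in the question), i.e. what Fail2Ban would have banned."""
    return sorted(ip for ip, n in failures_by_source(lines).items() if n >= maxretry)

def dropped_by_provider_only_rule(lines, provider_ip):
    """Sources a firewall that accepts SIP only from the provider would have dropped
    before Asterisk ever saw the REGISTER, including those still below maxretry."""
    return sorted(ip for ip in failures_by_source(lines) if ip != provider_ip)

# Constructed sample log in the format quoted above; all addresses are documentation ranges.
PROVIDER_IP = "203.0.113.50"   # constructed stand-in for the provider's SIP address
SAMPLE_LOG = [
    "[May 22 10:51:27] NOTICE[10663] chan_sip.c: Registration from '\"guest12345\"<sip:guest12345@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[May 22 10:51:28] NOTICE[10663] chan_sip.c: Registration from '\"100\"<sip:100@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[May 22 10:51:28] NOTICE[10663] chan_sip.c: Registration from '\"101\"<sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[May 22 10:51:29] NOTICE[10663] chan_sip.c: Registration from '\"102\"<sip:102@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[May 22 10:51:29] NOTICE[10663] chan_sip.c: Registration from '\"admin\"<sip:admin@192.0.2.10>' failed for '198.51.100.7' - No matching peer found",
    "[May 22 10:53:02] NOTICE[10663] chan_sip.c: Registration from '\"1000\"<sip:1000@192.0.2.10>' failed for '203.0.113.9:5060' - No matching peer found",
    "[May 22 10:53:03] NOTICE[10663] chan_sip.c: Registration from '\"1001\"<sip:1001@192.0.2.10>' failed for '203.0.113.9' - No matching peer found",
    "[May 22 10:53:10] NOTICE[10663] unrelated.c: constructed noise line that must not match",
]

if __name__ == "__main__":
    for ip, n in failures_by_source(SAMPLE_LOG).most_common():
        print(f"{ip:15} {n} failed registrations")
    print("would be banned by Fail2Ban:", banned_sources(SAMPLE_LOG))
    print("dropped by provider-only firewall:", dropped_by_provider_only_rule(SAMPLE_LOG, PROVIDER_IP))
```

The second source never reaches the ban threshold, which is exactly the gap the answer points at: a provider-only firewall rule drops it anyway.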